CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-2332

CVE-2026-2332: HTTP Request Smuggling in Eclipse Jetty via Chunked Extension Quoted-String Parsing

Alon Barad
Alon Barad
Software Engineer

Apr 15, 2026·5 min read·307 visits

Executive Summary (TL;DR)

Jetty incorrectly terminates HTTP/1.1 chunk extension parsing when encountering a newline inside a quoted string, allowing attackers to desynchronize proxies and back-ends to smuggle malicious requests.

Eclipse Jetty's HTTP/1.1 parser contains a state-machine flaw when handling chunked transfer encoding extensions, leading to critical HTTP Request Smuggling via "Funky Chunks" techniques.

Vulnerability Overview

Eclipse Jetty is susceptible to HTTP Request Smuggling (CWE-444) within its HTTP/1.1 parser. The vulnerability targets the parsing logic for chunked transfer encoding, specifically how the parser handles chunk extensions containing quoted strings. This flaw permits an attacker to desynchronize the request stream between a front-end proxy and the Jetty back-end.

The vulnerability is classified as a variant of the "Funky Chunks" exploitation methodology. It exploits ambiguous handling of line terminators within HTTP message bodies. By manipulating the chunk size parameters, an attacker can manipulate how different servers in the request chain interpret the start and end of HTTP requests.

Successful desynchronization occurs because the front-end proxy and the Jetty back-end disagree on the boundaries of the HTTP message. This disagreement allows the injection of a smuggled, secondary request that bypasses edge security controls and is executed directly by the internal application logic.

Root Cause Analysis

According to RFC 9112 and RFC 9110, HTTP/1.1 chunk extensions can encapsulate values within quoted strings. These quoted strings are strictly prohibited from containing raw Carriage Return Line Feed (CRLF) sequences. The vulnerability exists within the state machine of Jetty's HttpParser.java during the CHUNK_PARAMS parsing phase.

When the parser encounters a double quote character, it fails to securely bound the quoted-string state. Instead of rejecting a CRLF sequence encountered within the quotes, or treating it as a literal malformed character, Jetty prioritizes the global search for \r\n. The parser incorrectly interprets the embedded CRLF as the termination of the chunk header.

This premature termination creates a fundamental synchronization discrepancy. An RFC-compliant front-end proxy parses the chunk extension correctly, treating the embedded CRLF as part of a malformed extension and forwarding the payload as a single continuous request. The Jetty back-end stops parsing the chunk header at the first CRLF, interpreting the subsequent bytes as the chunk body and eventually as an entirely new HTTP request.

Code Analysis

The core vulnerability resides in the state-machine execution within HttpParser.java. During the processing of the CHUNK_PARAMS state, Jetty fails to suppress the detection of end-of-line markers when processing a quoted string.

The logic incorrectly prioritizes the structural markers of the HTTP protocol over the encapsulation rules of the quoted string parameter.

// Conceptual representation of the flawed parsing logic in Jetty
while (parsingChunkParams) {
    byte ch = buffer.get();
    if (ch == '"') {
        inQuotedString = !inQuotedString;
    }
    // VULNERABILITY: CRLF check executes regardless of inQuotedString state
    if (ch == '\n') {
        transitionTo(State.CHUNK_BODY);
    }
}

The patched implementations (e.g., in commit 91435debf6bb5b2701e96f2202962ea262d38236) modify this logic to properly track quoted string boundaries. The parser now implements strict validation to reject control characters like CR or LF within a quoted string, aligning the parser with RFC compliance and preventing premature header termination.

Exploitation Methodology

The "Funky Chunks" exploitation technique requires sending a specifically crafted HTTP POST request using chunked transfer encoding. The attacker injects a chunk extension containing an unclosed double quote followed by a raw newline.

POST / HTTP/1.1
Host: vulnerable-app.com
Transfer-Encoding: chunked
 
1;ext="val
X
0
 
GET /smuggled-endpoint HTTP/1.1
Host: internal-service

The proxy forwards this payload as a single request because the chunk extension does not appear properly terminated according to its internal logic. Jetty parses 1;ext="val and terminates the header at the newline.

Jetty reads X as the 1-byte chunk body declared by the hexadecimal 1. The subsequent 0 terminates the chunked stream for the first request, causing Jetty to process the GET /smuggled-endpoint payload as a secondary, smuggled request.

Desynchronization Mechanism

The exploit relies entirely on the behavioral difference between the proxy and the back-end server. The following sequence illustrates the stream interpretation.

The front-end proxy perceives the entire payload as a single, in-flight POST request. The Jetty back-end splits the stream, effectively executing the GET /smuggled-endpoint request in the context of the back-end connection pool.

Impact Assessment

Successful exploitation grants the attacker the ability to bypass front-end security controls, such as Web Application Firewalls (WAF) or access control lists (ACL). The smuggled request is processed directly by the back-end application, evading all edge validation.

Depending on the application routing, this flaw facilitates cache poisoning, cross-user session hijacking, and unauthorized access to restricted endpoints. An attacker can manipulate backend routing to extract sensitive data belonging to other users sharing the same connection pool.

The CVSS 3.1 base score is 7.4 (High), reflecting the significant impact on confidentiality and integrity. The attack complexity is rated High because successful exploitation explicitly requires a specific behavioral differential between the upstream proxy and the Jetty server.

Remediation and Mitigation

Administrators must upgrade Eclipse Jetty to versions 9.4.60, 10.0.28, 11.0.28, 12.0.33, or 12.1.7. These releases contain the corrected state machine logic for parsing HTTP/1.1 chunk extensions, neutralizing the vulnerability at the source.

If immediate patching is unfeasible, administrators can deploy interim mitigations at the proxy layer. Front-end load balancers or WAFs should be configured to strictly normalize HTTP/1.1 chunked requests. Stripping chunk extensions entirely before forwarding the request to the back-end neutralizes this specific exploitation vector.

As a defense-in-depth measure, disabling HTTP/1.1 keep-alive connections between the proxy and the back-end prevents request smuggling entirely. This approach ensures each request utilizes a distinct TCP connection, eliminating the shared stream required for desynchronization, though this incurs a notable performance penalty.

Official Patches

Eclipse FoundationOfficial Jetty Security Advisory GHSA-355h-qmc2-wpwf

Fix Analysis (1)

Technical Appendix

CVSS Score
7.4/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Probability
0.03%
Top 91% most exploited

Affected Systems

Eclipse Jetty 9.4.0 - 9.4.59Eclipse Jetty 10.0.0 - 10.0.27Eclipse Jetty 11.0.0 - 11.0.27Eclipse Jetty 12.0.0 - 12.0.32Eclipse Jetty 12.1.0 - 12.1.6Web applications utilizing vulnerable Jetty versions behind a reverse proxy

Affected Versions Detail

Product
Affected Versions
Fixed Version
Eclipse Jetty
Eclipse Foundation
9.4.0 <= version <= 9.4.599.4.60
Eclipse Jetty
Eclipse Foundation
10.0.0 <= version <= 10.0.2710.0.28
Eclipse Jetty
Eclipse Foundation
11.0.0 <= version <= 11.0.2711.0.28
Eclipse Jetty
Eclipse Foundation
12.0.0 <= version <= 12.0.3212.0.33
Eclipse Jetty
Eclipse Foundation
12.1.0 <= version <= 12.1.612.1.7
AttributeDetail
CWE IDCWE-444
Attack VectorNetwork
CVSS v3.1 Score7.4 (High)
EPSS Score0.00031
ImpactHigh Confidentiality, High Integrity
Exploit StatusProof-of-Concept (PoC)
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1139Adversary-in-the-Middle: HTTP Request Smuggling
Initial Access
CWE-444
Inconsistent Interpretation of HTTP Requests

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

Known Exploits & Detection

smugchunksScanner and testing toolkit for identifying Funky Chunks vulnerabilities

Vulnerability Timeline

Initial 'Funky Chunks' research published by Jeppe Bonde Weikop
2025-06-18
Addendum to 'Funky Chunks' research published detailing further techniques
2025-10-29
Fixes begin appearing in Jetty SNAPSHOT versions (v12.1.7-SNAPSHOT)
2026-01-27
CVE-2026-2332 officially published and advisories released
2026-04-14

References & Sources

  • [1]Jetty Security Advisory
  • [2]Eclipse CVE Assignment
  • [3]Funky Chunks Research Part 1
  • [4]Funky Chunks Research Part 2
  • [5]CVE Record CVE-2026-2332
  • [6]Jetty Project Commit 91435debf6bb5b2701e96f2202962ea262d38236

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•42 minutes ago•GHSA-PQG7-V6WH-3PFP
8.5

GHSA-pqg7-v6wh-3pfp: IP Spoofing and Access Control Bypass via HTTP Header Injection in TsDProxy

A high-severity input sanitization and header injection vulnerability in TsDProxy allows authenticated Tailscale users to inject arbitrary values into the X-Forwarded-For and X-Real-IP HTTP headers. Because downstream backend services frequently trust these headers to resolve client identities, attackers can exploit this flaw to bypass IP-based access control lists, audit logs, and geo-blocking restrictions.

Amit Schendel
Amit Schendel
2 views•5 min read
•about 1 hour ago•CVE-2026-54448
6.5

CVE-2026-54448: Denial of Service in Trivy Helm Chart Parser via Decompression Bomb

CVE-2026-54448 is a critical denial of service vulnerability in Trivy's Infrastructure-as-Code (IaC) misconfiguration scanning engine. Prior to version 0.71.0, Trivy utilized a custom archive parser to unpack Helm chart tarballs (.tgz) during automated scans. This custom implementation iterated through compressed files and loaded their entire raw contents into system memory using the io.ReadAll function without implementing size limits or threshold checks, enabling an attacker to trigger an immediate heap-allocation crash or system Out-of-Memory (OOM) termination using a decompression bomb.

Alon Barad
Alon Barad
3 views•7 min read
•about 2 hours ago•GHSA-9HC2-HJX8-Q6PV
9.6

GHSA-9HC2-HJX8-Q6PV: Remote Code Execution in TidGi Desktop via Malicious TiddlyWiki Repository Import

A critical remote code execution vulnerability exists in TidGi Desktop up to version 0.13.0. The flaw allows an attacker to execute arbitrary code with Node.js privileges when a user imports or clones a malicious TiddlyWiki repository. This occurs due to the automatic execution of 'startup' modules defined in user-imported tiddler files.

Alon Barad
Alon Barad
3 views•5 min read
•about 2 hours ago•GHSA-MQXV-9RM6-W8QC
8.7

GHSA-MQXV-9RM6-W8QC: CPU Exhaustion in Ech0 i18n Middleware via Accept-Language Header Parser Bypass

A critical Denial of Service (DoS) vulnerability in the Ech0 publishing platform allows unauthenticated remote attackers to exhaust CPU resources via a crafted Accept-Language header. By utilizing underscore separators instead of hyphens, the attack bypasses the CVE-2022-32149 guard within the Go language tag parser, triggering a quadratic-time complexity operation.

Amit Schendel
Amit Schendel
4 views•5 min read
•about 3 hours ago•GHSA-HGJX-R89M-M7V4
9.9

GHSA-HGJX-R89M-M7V4: Remote Code Execution via Path Traversal in FacturaScripts

FacturaScripts is an open-source PHP-based enterprise resource planning (ERP) and billing software. A critical path traversal vulnerability in the file-handling logic allows authenticated attackers with file upload permissions to write arbitrary files to any location on the system writable by the web server user. By writing custom server configuration files (.htaccess) to directories excluded from default rewrite rules, attackers can map allowed file types (like .png) to the PHP interpreter, leading to full remote code execution.

Amit Schendel
Amit Schendel
5 views•7 min read
•about 4 hours ago•GHSA-7RX3-5WX3-5V76
7.7

GHSA-7rx3-5wx3-5v76: Missing Authorization in Nebula-mesh Webhook Subscription API Enables Server-Side Request Forgery

Nebula-mesh allows non-admin operators to disable webhook SSRF (Server-Side Request Forgery) protection via the allow_private parameter. Low-privilege operators can configure webhook endpoints targeting internal endpoints and trigger lifecycle events on resources they own, bypassing network access controls.

Amit Schendel
Amit Schendel
6 views•4 min read